DES: a Challenge Problem for Nonmonotonic Reasoning Systems*
Abstract

The US Data Encryption Standard, DES for short, 
is put forward as an interesting benchmark problem 
for nonmonotonic reasoning systems because (i) it pro- 
vides a set of test cases of industrial relevance which 
shares features of randomly generated problems and 
real-world problems, (ii) the representation of DES us-
ing normal logic programs with the stable model se- 
mantics is simple and easy to understand, and (iii) 
this subclass of logic programs can be seen as an in- 
teresting special case for many other formalizations of 
nonmonotonic reasoning. In this paper we present two 
encodings of DES as logic programs: a direct one out 
of the standard specifications and an optimized one ex- 
tending the work of Massacci and Marraro. The com- 
putational properties of the encodings are studied by 
using them for DES key search with the Smodels sys- 
tem as the implementation of the stable model seman- 
tics. Results indicate that the encodings and Smodels 
are quite competitive: they outperform state-of-the-art 
SAT-checkers working with an optimized encoding of 
DES into SAT and are comparable with a SAT-checker 
that is customized and tuned for the optimized SAT 
encoding. 



Introduction 

Efforts on developing implementations of nonmono- 
tonic reasoning systems have intensified during the last 
years and, in particular, implementation techniques 
for declarative semantics of logic programs (e.g., sta- 
ble model and well-founded semantics) have consid- 
erably advanced. With an increasing number of sys- 
tems the question of suitable test suites arises. Typ- 
ical benchmarks used for testing and comparing such 
systems include problems from graph theory, planning,
and constraint satisfaction (Cholewiński et al. 1995;
Dimopoulos, Nebel, & Koehler 1997; Niemelä 1999).
However, it is still difficult to find benchmark suites of
wide industrial relevance.



In this paper we advocate that logical cryptanaly- 
sis is a good benchmark for nonmonotonic reasoning 
systems. Logical cryptanalysis has been introduced by
Massacci and Marraro (2000) as a framework for rea-
soning about cryptographic algorithms. They pointed 
out that encoding cryptographic problems as SAT prob- 
lems might be beneficial for the automated reasoning 
community as it provides a set of problems of indus- 
trial relevance which optimally shares features of ran- 
domly generated problems and real-world problems. In-
deed, the encoding of the US Data Encryption Standard
(DES) into SAT proposed in (Massacci & Marraro 2000;
Massacci 1999) has a number of useful features:



• it allows generating random instances of similar
structure in practically inexhaustible number;

• it provides solved instances (for which one solution is 
known beforehand) which are very hard, for which we 
can change the value of the solution, and such that 
we can generate as many different (hard) instances 
as we want with the same solution; 

• it has a lot of structure, and the structure is very 
common to many similar problems in hardware ver- 
ification, planning and constraint programming (all- 
diff constraints, defined variables, layered definitions 
etc.). 

These considerations apply to the encoding of crypto- 
graphic problems for nonmonotonic reasoning systems 
with some further advantages: 

• the representation of cryptographic algorithms using 
normal logic programs with the stable model seman- 
tics is extremely simple and easy to understand; 

• normal logic programs with the stable model seman- 
tics can be seen as an interesting special case for many 
other more general formalizations of nonmonotonic 
reasoning. 

Indeed, we can provide a natural encoding of DES
out of the standard specifications (FIPS 1997; Schneier
1994; Stinson 1998) as a logic program. Massacci and
Marraro (Massacci & Marraro 2000) have developed
a SAT-encoding of DES where a substantial amount of
preprocessing and optimizations are employed. As an
alternative encoding of DES using logic programs we
have upgraded Massacci and Marraro's optimized SAT-
encoder to deal directly with logic programs. Using
these encodings one can perform most¹ of the reason-
ing tasks suggested in (Massacci & Marraro 2000).

We examine the efficiency of the encodings by using
an implementation of the stable model semantics, the
Smodels system (Niemelä & Simons 1997; Simons 1998),
for DES key search and by comparing the performance
to that of SAT-solvers which use the optimized encoding
of DES into SAT developed by Massacci and Marraro.

The rest of the paper is organized as follows. We 
start by briefly introducing the stable model semantics 
and by discussing how to encode boolean expressions 
as logic programs. We first describe the direct encod- 
ing of DES to logic programs and then the optimized 
encoding. We finish with some experimental results. 

Logic Programs and Stable Models 

The stable model semantics (Gelfond & Lifschitz 1988)
generalizes the minimal model semantics of definite pro-
grams to normal logic program rules

    A <- B_1, ..., B_m, not C_1, ..., not C_n        (1)

where negative body literals (not C_i) are allowed. For
a ground (variable-free) program P, the stable models
are defined as follows. The reduct P^S of a program P
with respect to a set of atoms S is the program obtained
from P by deleting

1. each rule that has a negative literal not C in its body
with C ∈ S and

2. all negative literals in the remaining rules.

The reduct P^S can be seen as the set of potentially
applicable rules given the stable model S, i.e., as the 
rules where the negative body literals are satisfied by 
the model. Note that in the reduct the negative body 
literals of the potentially applicable rules are removed 
and, hence, the rules are definite. The idea is that a sta- 
ble model should be grounded (or justified) in the sense 
that every atom in the model is a consequence of the po- 
tentially applicable rules and every consequence of the 
potentially applicable rules is included in the model. 
The atomic consequences of a set of definite rules can 
be captured by the unique minimal model, the least 
model, of the set seen as definite clauses. Hence, a set 
of atoms is a stable model of a program if it coincides 
with the least model of the reduct. 

Definition 1 Let P be a ground program. Then a set
of ground atoms S is a stable model of P iff S is the
least model of P^S.

1 To be precise, the verification of cryptographic proper-
ties proposed in (Massacci & Marraro 2000) is expressed
as quantified boolean formulae. These are out of our scope.

Example 2 Program P

    p <- not q, r
    q <- not p
    r <- not s
    s <- not p

has a stable model S = {r, p} because S is the least
model of P^S.

P^S:

    p <- r
    r <-


In addition to this model, P has another stable model 
{s,q} which can be verified similarly by constructing the 
reduct and its least model. 

The stable model semantics for programs with vari- 
ables is obtained from the semantics of ground pro- 
grams by employing the notion of Herbrand models. 
The stable models of a program with variables are the 
stable models of the ground instantiation of the pro- 
gram where variables are substituted by terms from the 
Herbrand universe of the program (the ground terms 
built from constants and functions in the program). 

Integrity constraints, i.e., rules of the form

    <- B_1, ..., B_m, not C_1, ..., not C_n        (2)

are often useful for saying that a stable model contain-
ing B_1, ..., B_m but none of C_1, ..., C_n is not accept-
able. These rules can be encoded using ordinary rules².

Example 3 Consider program P in Example 2 ex-
tended by two integrity constraints

<— not p, s 
<— r, not q, s 

This program has only one stable model {r, p} as the 
other stable model of P , {s, q}, does not satisfy the first 
integrity constraint above. 

Integrity constraints are a powerful and simple tech-
nique for pruning unwanted stable models as they can-
not introduce new stable models but can only eliminate
them. This means that for a program P and a set of in-
tegrity constraints IC, if S is a stable model of P ∪ IC,
then S is a stable model of P.

From Boolean Logic to Logic Programs 

DES can be seen as a boolean function which takes as
input a vector of bits consisting of the plaintext and key
and outputs a vector of bits (the ciphertext). DES
is specified using standard boolean operators (negation, 
disjunction, conjunction, XOR) as well as boolean func- 
tions given as truth tables. 

In this section we discuss how to encode such boolean 
expressions using logic programs. Here the goal is to 
achieve a compact and potentially computationally ef- 
ficient coding. We aim to exploit the special property 
of the stable model semantics that everything is false 
unless otherwise stated. This means that it is enough 
to consider only the conditions under which an expres- 
sion is true and let default negation handle the
other case when the expression is false.



2 For example, by introducing two new atoms f and f'
and a new rule f' <- not f', f and finally replacing every
rule of the form (2) with one having f as its head.



Table 1: Mapping boolean expression to rules

    Subexpression          Rules
    l_1 ∧ ... ∧ l_n        p <- p_{l_1}, ..., p_{l_n}
    l_1 ∨ ... ∨ l_n        p <- p_{l_1}
                           ...
                           p <- p_{l_n}
    ¬l                     p <- not p_l
    l_1 ⊕ l_2              p <- p_{l_1}, not p_{l_2}
                           p <- not p_{l_1}, p_{l_2}

Given a boolean expression φ we provide a logic pro-
gram P_φ such that satisfying truth assignments of φ and
stable models of P_φ coincide. This can be done by in-
troducing a new atom p_ψ for each subexpression ψ of φ
and, according to the intuition mentioned above, by only
giving rules stating all conditions on its subexpressions
under which ψ is true.

In Table 1 we give the corresponding rules for dif-
ferent kinds of subexpressions. We use the convention
that we denote by p the corresponding new atom of
the subexpression in question and by p_l the new atom
introduced for any further subexpression l.

As a further optimization, note that it is not nec-
essary to introduce a new atom in the program for
negated subexpressions ¬l as they can be represented
as 'not p_l' in the program, a positive literal can be rep-
resented as such, and an expression 'not not a' as 'a'.

For the rest of the original propositional atoms, which
are not introduced as abbreviations in the original
boolean expression, the assumption about the default
negation is false because they can have any of the two
truth values. Therefore we encode this by introducing
a new atom â for each atomic subexpression a and in-
cluding two rules

    a <- not â
    â <- not a        (3)

stating that either a is in the stable model or â is in the
model (when a is not there).

Now the satisfying truth assignments of φ and the
stable models of P_φ correspond in the following sense:

1. Each stable model S of P_φ induces a truth assign-
ment T where an atom a is true in T iff a ∈ S and
for each subexpression ψ of φ, ψ is true in T iff the
corresponding new atom p_ψ is in S.

2. Each truth assignment T induces a stable model S of
P_φ such that for each subexpression ψ of φ, ψ is true
in T iff the corresponding new atom p_ψ is in S.

In order to consider stable models corresponding to as-
signments where φ is true, one adds to P_φ a rule

    <- not p_φ

Further constraints on boolean (sub)expressions can
be encoded similarly. In order to ensure that a given
(sub)expression ψ is true (respectively false), it is
enough to include to P_φ the rules

    <- not p_ψ    forces ψ to be true
    <- p_ψ        forces ψ to be false

where p_ψ is the new atom corresponding to ψ. Notice
that our translation can be seen as first breaking the
boolean expression to a set of equivalences where new
atoms are defined for each expression and then mapping
these equivalences to rules.

Example 4 Consider an expression φ

    (a ∨ ¬b) ∧ (¬a ⊕ b)

It can be seen as a set of equivalences

    {p_1 ⇔ p_2 ∧ p_3, p_2 ⇔ a ∨ ¬b, p_3 ⇔ (¬a ⊕ b)}.

Now the program P_φ is

    p_1 <- p_2, p_3         a <- not â
    p_2 <- a                â <- not a
    p_2 <- not b            b <- not b̂
    p_3 <- not a, not b     b̂ <- not b
    p_3 <- a, b

For instance, the stable model {a, b̂, p_2} of P_φ corre-
sponds to the truth assignment where the atom a is true
but b is false. If we want to have only models where φ
is true, it is enough to add to P_φ the rule

    <- not p_1.

When this is done, the resulting program has two stable
models: {a, b, p_1, p_2, p_3} and {â, b̂, p_1, p_2, p_3}.
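The definitions and examples above can be checked mechanically. The following is an added example, not code from the paper or from Smodels: a brute-force stable model enumerator built directly on Definition 1, together with the Table 1 translation, run on Examples 2, 3 and 4. The tuple syntax for expressions and the name `a^` for the complement atom of `a` are assumptions of this example.

```python
from itertools import combinations

# A rule is (head, positive_body, negative_body) with frozenset bodies.
# head=None encodes an integrity constraint "<- body".
def rule(head, body=""):
    """Build a rule from text such as rule("p", "not q, r")."""
    pos, neg = set(), set()
    for lit in (x.strip() for x in body.split(",")):
        if lit.startswith("not "):
            neg.add(lit[4:].strip())
        elif lit:
            pos.add(lit)
    return (head, frozenset(pos), frozenset(neg))

def least_model(definite_rules):
    """Least model of negation-free rules, computed as a fixpoint."""
    model, changed = set(), True
    while changed:
        changed = False
        for head, pos in definite_rules:
            if head not in model and pos <= model:
                model.add(head)
                changed = True
    return model

def is_stable(rules, s):
    """Definition 1: S is stable iff S equals the least model of P^S."""
    for head, pos, neg in rules:
        # An integrity constraint whose body holds in S rejects S.
        if head is None and pos <= s and not (neg & s):
            return False
    # Reduct: drop rules containing "not C" with C in S, then drop all
    # remaining negative literals.
    reduct = [(h, pos) for h, pos, neg in rules
              if h is not None and not (neg & s)]
    return least_model(reduct) == s

def stable_models(rules):
    """Test every subset of the atoms; exponential, for small programs only."""
    atoms = set()
    for head, pos, neg in rules:
        atoms |= pos | neg | ({head} if head else set())
    atoms = sorted(atoms)
    return [set(c) for n in range(len(atoms) + 1)
            for c in combinations(atoms, n) if is_stable(rules, set(c))]

def translate(expr):
    """Table 1 translation. expr is an atom name or a tuple
    ("and"|"or", e1, ..., en), ("xor", e1, e2) or ("not", e).
    The top-level expression is assumed not to be a negation."""
    rules, count = set(), [0]

    def body(lits):
        return (frozenset(a for a, true in lits if true),
                frozenset(a for a, true in lits if not true))

    def lit(e):
        """Return (atom, polarity) standing for subexpression e."""
        if isinstance(e, str):
            # Rules (3): an input atom may be true or false.
            rules.add(rule(e, "not " + e + "^"))
            rules.add(rule(e + "^", "not " + e))
            return (e, True)
        if e[0] == "not":
            # No new atom for a negation; "not not a" collapses to "a".
            atom, true = lit(e[1])
            return (atom, not true)
        count[0] += 1
        p = "p%d" % count[0]
        args = [lit(a) for a in e[1:]]
        if e[0] == "and":
            rules.add((p,) + body(args))
        elif e[0] == "or":
            for a in args:
                rules.add((p,) + body([a]))
        elif e[0] == "xor":
            (a1, t1), (a2, t2) = args
            rules.add((p,) + body([(a1, t1), (a2, not t2)]))
            rules.add((p,) + body([(a1, not t1), (a2, t2)]))
        else:
            raise ValueError("unknown operator %r" % (e[0],))
        return (p, True)

    top, _ = lit(expr)
    return list(rules), top

# Example 2, Example 3 (two integrity constraints added) and Example 4.
EX2 = [rule("p", "not q, r"), rule("q", "not p"),
       rule("r", "not s"), rule("s", "not p")]
EX3 = EX2 + [rule(None, "not p, s"), rule(None, "r, not q, s")]
PHI = ("and", ("or", "a", ("not", "b")), ("xor", ("not", "a"), "b"))
EX4, TOP = translate(PHI)

if __name__ == "__main__":
    print(stable_models(EX2))
    print(stable_models(EX3))
    print(stable_models(EX4 + [rule(None, "not " + TOP)]))
```

The enumerator tries all 2^n subsets of atoms, so it is only usable on programs of this size.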

A boolean function given as a truth table can be repre- 
sented using rules by considering a disjunctive normal 
form representation of the function. This means that 
we give the conditions under which the function obtains 
the value true and provide for each such case a corre- 
sponding rule. 

Example 5 The function f given by the table on the
left hand side can be encoded by the rules on its right.

    x_1  x_2  x_3  f
     0    0    0   1       f <- not x_1, not x_2, not x_3
     0    0    1   0
     0    1    0   1       f <- not x_1, x_2, not x_3
     0    1    1   0
     1    0    0   0
     1    0    1   0
     1    1    0   1       f <- x_1, x_2, not x_3
     1    1    1   0



The US Data Encryption Standard 



For a complete description of DES see (FIPS 1997),
(Schneier 1994, Chap. 12), or (Stinson 1998). DES is a
block-cipher and its input is a 64 bit block of plaintext
and a 64 bit key, where every eighth bit is a parity check
bit that is stripped off before the encryption. So, the
actual key-size of DES is 56 bits. This key is used for
generating the round-keys, 48 bit permuted subkeys of
the key. The output is a 64 bit block of ciphertext.

Figure 1: The structure of DES. (a) 3 rounds of DES; (b) DES function f; (c) keyschedule.


The high level structure of DES is presented in Fig-
ure 1(a). Following Figure 1(a) top-down we see that
DES starts with an initial permutation IP of the 64 bit
block of plaintext followed by a structure that is called
a Feistel cipher (Feistel, Notz, & Smith 1975).

The basic component of a Feistel cipher is called a 
round and is constituted by the following operations: 

1. the input of 64 bits is divided into left and right parts; 

2. the right half (32 bits), together with a round-key, is
taken as input of a function f (the round function),
which is described below;

3. the output of f is XORed with the left half and the
result is a new right half;

4. the unaltered old right half becomes the new left half. 

These rounds can now be chained together and the com-
plete DES contains 16 rounds (Figure 1(a) illustrates
three rounds). The strength of DES depends on the
number of rounds: after 8 rounds a change in an in-
put bit affects all output bits. In the end of DES, the
switching of left and right sides is omitted and the bits
are again permuted using the inverse of the initial
permutation.

DES function f. Inside the function f (see Figure
1(b)) the 32 input bits are first expanded to 48 bits by
duplicating some of them. The expanded bit string is
XORed with the round-key given by the keyschedule
described below. The resulting bits are input to 8 S-
boxes, 6 bits for each box. The S-boxes are functions of
six (binary) variables. The output of every S-box con-
sists of 4 bits. The resulting 32 bits are finally permuted
according to permutation P. The content of the boxes
was decided at the time DES was developed and they
are the only non-linear part of DES, hence the security
of DES relies on them.

Keyschedule. The keyschedule function takes as in-
put the key and provides as output a 48 bit round-key for
each round of the Feistel cipher. The DES key is a vec- 
tor of 64 bits, where every 8th bit is a parity bit. First 
the parity bits are stripped off, then the keybits are per- 
muted according to the permutation PC-1. The result 
is divided into two parts that are shifted to the left one 
or two positions recursively, see Figure 1(c). After each 
shift the bit string is again permuted (PC-2) in order 
to produce the round-key. 

A Direct Encoding of DES 

We develop first a direct encoding of DES as a logic
program. It does not contain any optimization and the
idea is to keep the code simple and readable. The code
can be used for encryption or key search³ with several
plaintext-ciphertext pairs (the known plaintext attack).

3 We have been successful only for limited versions of DES
where the number of rounds is less than 16 (the full version).

The encoding is given as rules with variables. How- 
ever, each variable has a domain predicate in the body 
of the rule so that a set of ground instances with ex- 
actly the same stable models is straightforward to de- 
termine. The predicates contain variables P indicating 
a plaintext-ciphertext pair and N for round. The corre- 
sponding domain predicates are round(N) and pair(P) 
which specify the relevant rounds and pairs, respec- 
tively. The total number of rounds is denoted by a 
constant r. For instance, if we are considering a three 
round version of DES with two plaintext-ciphertext 
pairs, these domain predicates would be defined using 
the facts: 

    round(0)    round(2)    pair(1)
    round(1)    round(3)    pair(2)

We describe first DES as used for encryption and then 
indicate changes needed to be done, e.g., for key search. 
The plaintext is given as facts p(P, B), where B ∈ [1, 64]
gives the number of the bit and P indicates the pair in
question. Note that only facts for true plaintext bits
need to be written. For instance, a set of facts

    {p(1,1), p(1,2), ..., p(1,16)}

specifies that in the first plaintext-ciphertext pair, the
plaintext bits 1, ..., 16 are true and all others false.

Round Operations 

The rules which encode the round operations, i.e., the 
rules that join the previous round to the next, are sum-
marized in Figure 2. They work as follows.

For the first round, the 64-bit block of plaintext is
first permuted according to the initial permutation IP
which is given as a set of facts

    {ip(1,40), ..., ip(9,39)}

Using these facts the rule for permuted_plaintext (r.1)
is easy to express.

For each pair P, the bits are divided in two 32 bit 
parts and renumbered. The renumbering is used only 
to make the description of the function / easier to write 
and understand and it is done by dividing both halves 
(32 bits) into 8 groups with each 4 bits. The bits are 
numbered so that the first digit represents the group 
and the second digit represents the bit. For example, 
bit 32, is the second bit in the third group. This renum- 
bering is given as facts: 

    renumber_left(1, 11)     renumber_right(33, 11)
    renumber_left(2, 12)     renumber_right(34, 12)
    renumber_left(3, 13)     renumber_right(35, 13)
    renumber_left(4, 14)     renumber_right(36, 14)
    renumber_left(5, 21)     renumber_right(37, 21)
    ...
    renumber_left(32, 84)    renumber_right(64, 84)

These facts are used in the rules r.2 and r.3 specifying 
the right and left parts where the predicate bit(B) is de- 
fined using a set of facts giving the possible renumbered 
bits 11, 12, 13, 14, 21,..., 84. 



(r.1)  permuted_plaintext(P, B1) <- ip(B, B1), p(P, B), pair(P)

(r.2)  r(P, RB, 0) <- permuted_plaintext(P, B1), renumber_right(B1, RB), pair(P), bit(RB)

(r.3)  l(P, RB, 0) <- permuted_plaintext(P, B1), renumber_left(B1, RB), pair(P), bit(RB)

(r.4)  l(P, B, N+1) <- r(P, B, N), N+1 < r, bit(B), pair(P), round(N), round(N+1)

(r.5)  r(P, B, N+1) <- l(P, B, N), not f(P, B, N+1), N+1 < r, bit(B), pair(P), round(N), round(N+1)

(r.6)  r(P, B, N+1) <- not l(P, B, N), f(P, B, N+1), N+1 < r, bit(B), pair(P), round(N), round(N+1)

(r.7)  r(P, B, r) <- r(P, B, r-1), bit(B), pair(P)

(r.8)  l(P, B, r) <- l(P, B, r-1), not f(P, B, r), bit(B), pair(P)

(r.9)  l(P, B, r) <- not l(P, B, r-1), f(P, B, r), bit(B), pair(P)

(r.10) unpermuted_cipher(P, B1) <- r(P, RB, r), renumber_right(B1, RB), pair(P)

(r.11) unpermuted_cipher(P, B1) <- l(P, RB, r), renumber_left(B1, RB), pair(P)

(r.12) cipher(P, BC) <- ip(BC, B1), unpermuted_cipher(P, B1), pair(P)

Figure 2: Round operations 



For each round N + 1 and each plaintext-ciphertext
pair P, the left and right parts l(P, B, N + 1) and
r(P, B, N + 1) can be defined in terms of the previ-
ous parts and the result of the function f as follows.
The right side is swapped to the left (r.4) and the left
side is XORed with the output of f to form the right
side for the next round (r.5-r.6).

In the final round the switching of left and right
halves is omitted (r.7-r.9) but the renumbering is un-
done and the final permutation (r.10-r.12) is applied.

Function f

For each round N and for each pair P, the function
f takes as input the 32 bits of the right part of the
previous round r(P, B, N - 1) and a 48 bit round-key
k(B, N) and works as follows. First every group of the
right part is expanded from 4 to 6 bits. For example,
the rule

    e(P, 65, N) <- r(P, 64, N - 1), round(N),
                   round(N - 1), pair(P)        (4)

means that the 4th bit in the 6th group becomes the
5th bit in the 6th group. The expanded bit string is
XORed with the key bits:

    a(P, B, N) <- e(P, B, N), not k(B, N),
                  round(N), N ≠ 0, pair(P), ebit(B)

    a(P, B, N) <- not e(P, B, N), k(B, N),
                  round(N), N ≠ 0, pair(P), ebit(B)

where the predicate ebit(B) is defined using a set
of facts giving the possible extended renumbered bits
11, 12, 13, 14, 15, 16, 21, ..., 86.

The resulting groups of 6 bits are the input of their
respective S-boxes. The output of every S-box consists
of 4 bits. If we consider the output one bit at a time,
the S-boxes can be seen as truth tables. For example, if
the input to the second S-box is 010101, its output is
0001. We can encode this behavior with the following
rule:

    b(P, 24, N) <- not a(P, 21, N), a(P, 22, N),
                   not a(P, 23, N), a(P, 24, N),
                   not a(P, 25, N), a(P, 26, N),
                   round(N), N ≠ 0, pair(P).



Once again, with the stable model semantics only rules
that imply true output bits are needed (see Exam-
ple 5). In this case, the output bits 1-3 are zeros, there-
fore no rules are needed for them. In the end of the
DES function, the vector of bits is permuted according
to the permutation P. The rules for permutation are
similar to the ones in expansion.
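An added example (not the authors' encoder): it generates the truth-table rules of Example 5 for DES S-box 2 in the naming of the direct encoding and checks that, with every output bit false by default, the rules reproduce the S-box on all 64 inputs. The S-box table is the standard one from the DES specification; the function names and the ASCII spelling `N != 0` are choices made here.

```python
# DES S-box 2 from the DES specification: 4 rows x 16 columns.
S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]

def sbox_lookup(table, bits6):
    """bits6 is a string of six '0'/'1' characters. The outer two bits
    select the row, the inner four the column; returns four output bits."""
    row = int(bits6[0] + bits6[5], 2)
    col = int(bits6[1:5], 2)
    return format(table[row][col], "04b")

def sbox_rules(table):
    """One (j, bits6) pair per rule: output bit j (1..4) is true on input
    bits6. Zero output bits get no rule at all."""
    rules = []
    for x in range(64):
        bits6 = format(x, "06b")
        for j, out in enumerate(sbox_lookup(table, bits6), start=1):
            if out == "1":
                rules.append((j, bits6))
    return rules

def render(group, j, bits6):
    """Write one rule in the direct encoding's syntax: a(P,gi,N) are the
    six inputs of S-box g and b(P,gj,N) its outputs."""
    body = ", ".join(("" if bit == "1" else "not ") + "a(P,%d%d,N)" % (group, i)
                     for i, bit in enumerate(bits6, start=1))
    return "b(P,%d%d,N) <- %s, round(N), N != 0, pair(P)." % (group, j, body)

def outputs_from_rules(rules, bits6):
    """Default negation: an output bit is 1 only if some rule body matches."""
    fired = {j for j, pattern in rules if pattern == bits6}
    return "".join("1" if j in fired else "0" for j in range(1, 5))

RULES = sbox_rules(S2)

if __name__ == "__main__":
    print(len(RULES), "rules for S-box 2")
    for j, bits6 in RULES:
        if bits6 == "010101":
            print(render(2, j, bits6))
```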

For each round N, the keyschedule is given as a set
of rules using the key bit facts key(K). For example,
the rule

    k(11, 1) <- key(10), round(1)

specifies that in the first round the (renumbered) bit 11
of the round-key is determined by the key bit 10. The
stages presented in Figure 1(c) and the renumbering are
calculated beforehand in order to avoid some modulo
arithmetic. This can be done because the keyschedule
is independent of the plaintext to be used.

Encryption and key search 

The encoding can be easily modified to solve many 
kinds of computational problems related to DES by 
changing the way the plaintext, ciphertext and the key 
are encoded. 

Encryption: It is sufficient to give the true bits B of 
the plaintext as facts p(P, B) for each pair P and the 
true bits of the key as facts key(K) . Now for each pair 
P, the true bits of the encrypted ciphertext can be 
recovered as ground facts cipher(P, B) in the unique 
stable model of the encoding with the plaintext and 
key facts. 

Decryption: The true bits of the key are specified as
facts key(K), the ciphertext is given in the form

    <- cipher(P, B)        for 0-bits
    <- not cipher(P, B)    for 1-bits

and the plaintext by the rules of the form (3) saying
that one can choose the truth values of the ground
atoms p(P, B). Then the decrypted plaintext is given
by the stable model of the encoding: for each true bit
of the plaintext a ground fact p(P, B) is in the model.
Actually, DES is symmetric. This means that de-
cryption is usually done the same way as encryption,
using the key schedule in reverse order and the ci-
phertext in place of the plaintext.

Known plaintext attack: For this attack we assume 
that a certain number of pairs of plaintexts and the 
corresponding ciphertexts are available and that we 
want to recover the key. For each pair P, the true 
bits B of the plaintext are given as facts p(P, B), the 
ciphertext is given in the form

    <- cipher(P, B)        for 0-bits
    <- not cipher(P, B)    for 1-bits

and the key is given by rules of the form (3)

    key(k) <- not k̂ey(k)
    k̂ey(k) <- not key(k)

specifying that the truth values of the ground atoms 
key(k) corresponding to the key bits can be chosen. 
Then the stable models of the resulting encoding cor- 
respond to the possible keys yielding the ciphertext 
from the plaintext for each pair P. A key is given 
as ground facts key(K) in the corresponding stable 
model for all true key bits. 

An Optimized Encoding of DES 



Massacci and Marraro (Massacci & Marraro 2000) have
devised an optimized encoding of DES to SAT which is
particularly effective when the plaintext and the cipher-
text are used in a known plaintext attack. We show
how to modify this to work with logic programs. We
sketch here just the main ideas to make the paper self-
contained and refer to (Massacci & Marraro 2000) for
further details on the encoding.

The basic idea of the direct encoding is to represent 
each step of DES as a logic program, the more straight- 
forward, the better. For the optimized encoding we 
start from a different direction and represent DES as a 
logical circuit in which each operation is represented as 
a boolean formula. 

Then, for the operations that are repeated at each
round (such as the round function f) we apply off-
line some advanced CAD minimization techniques to
squeeze their size as much as possible. In particular in
(Massacci & Marraro 2000) the CAD program Espresso
(Rudell & Sangiovanni-Vincentelli 1987) has been used
for minimizing the representation of S-Boxes as Pro-
grammable Logic Arrays (PLAs). The PLA represen-
tation is just a representation of boolean functions with
disjunctions of conjunctions.

This yields a notable squeeze in the size of the 
boolean formulae representing the corresponding oper- 
ations of the S-Boxes but is not enough. The second 
important twist is that whenever possible, the program 
"executes" directly the DES operations on the propo-
sitional variables representing the input bits. For in-
stance, a permutation is not encoded into a boolean 
formula, rather the program executes the permutation 
of the input bits and provides as output the permuted 
propositional variables. 



The simplifying effect of this operation can be also 
explained as a form of partial evaluation in the di- 
rect encoding of DES. Consider, for instance, the logic 
program rule (4). The net effect of the "execution"
step is that e(P, 65, N + 1) is replaced everywhere by 
r(P, 64, N). 

At the end of this process the encoder program
def2fml used in (Massacci & Marraro 2000) could out-
put a minimized logic program corresponding to DES
w.r.t. the direct encoding that we have described in the
previous section using the rules we have given in the
section on coding boolean formulae.

We can do more when the plaintext and the cipher- 
text are known, i.e. when we want to perform a known 
plaintext attack. In particular, with a boolean repre- 
sentation we can perform a notable amount of linear
reasoning (reasoning using formulae with exclusive or).
In (Massacci 1999) it is noted that the presence of ex-
clusive or is what makes the problem hard for state-of- 
the-art SAT checkers and therefore its minimization is 
essential. 

So, for the encoding we acquire the boolean values 
corresponding to plaintext and ciphertext and prepro- 
cess the formula by applying exhaustively a set of sim- 
plification rules aimed at eliminating redundancies: 

1. Variables defined by atomic equivalences⁴ are re-
placed by the corresponding values to reduce the 
number of variables in other formulae, and to intro- 
duce the truth values. 

2. The propositional simplification rules listed in Fig-
ure 3 are applied.

The second step (propositional simplification) may in- 
troduce additional atomic equivalences and therefore 
the overall simplification phase is repeated until satu- 
ration is reached. 

Notice that such preprocessing, and in particular the 
operations involving exclusive or, cannot be performed 
with a logic program representation (at least with cur- 
rent technology). 

The resulting formula is then translated into a logic 
program using a further optimized translation w.r.t. 
that presented in the section on boolean encoding. We 
can exploit the knowledge that the final formula we got
has the form shown in Figure 4 (adapted from (Mas-
sacci & Marraro 2000)) and translate it as shown in
Figure 5. The variables P and N stand for the number
of pair and rounds, according to the format of the direct
encoding. The letter b corresponds to a suitable ground 
value of the bit number represented by the variable B 
used in the direct encoding. Notice that the final out- 
put is a ground logic program so that N and P are 
appropriately instantiated by the optimizing encoder. 

Notice that the translation of the formula is done
piecewise: each equivalence is translated in a suitable
number of rules: we use one rule for conjunctions, two
rules for XORs, and many rules for disjunctions (as many
as there are disjuncts). The trick is that we only en-
code one direction of the equivalence exploiting the
property of logic programs that "everything is false by
default". In this way we have only to specify when a
boolean formula may be true.

4 We define an atomic equivalence as a formula of the
form V ⇔ F where V is a variable and F is either another
variable or a truth value.

Figure 3: Simplification rules

    r(P,b,3) <- ±s(P,b',1), not s(P,b'',3)
    r(P,b,3) <- not ±s(P,b',1), s(P,b'',3)
    r(P,b,4) <- ±s(P,b',2), not s(P,b'',4)
    r(P,b,4) <- ±not s(P,b',2), s(P,b'',4)
    r(P,b,N) <- r(P,b',N-2), not s(P,b'',N), 5 ≤ N ≤ r-4
    r(P,b,N) <- not r(P,b',N-2), s(P,b'',N), 5 ≤ N ≤ r-4
    s(P,b,N) <- m(P,b',N), 1 ≤ N ≤ r and 1 ≤ b' ≤ n_N
    s(P,b,r-1) <- ±r(P,b',r-5), not s(P,b'',r-3)
    s(P,b,r-1) <- not ±r(P,b',r-5), s(P,b'',r-3)
    s(P,b,r) <- ±r(P,b',r-4), not s(P,b'',r-2)
    s(P,b,r) <- not ±r(P,b',r-4), s(P,b'',r-2)
    m(P,b,1) <- ±k(b',1), ..., ±k(b'',1)
    m(P,b,N) <- x(P,b',N)_1, ..., x(P,b'',N)_{n_N}, 2 ≤ N ≤ r-1
    m(P,b,r) <- ±k(b',r), ..., ±k(b'',r)

    x(P,b,2) <- ±s(P,b',1), not k(b'',2)
    x(P,b,2) <- ±not s(P,b',1), k(b'',2)
    x(P,b,3) <- ±s(P,b',2), not k(b'',3)
    x(P,b,3) <- ±not s(P,b',2), k(b'',3)
    x(P,b,N) <- r(P,b',N-1), not k(b'',N), 4 ≤ N ≤ r-3
    x(P,b,N) <- not r(P,b',N-1), k(b'',N), 4 ≤ N ≤ r-3
    x(P,b,r-2) <- ±s(P,b',r-1), not k(b'',r-1)
    x(P,b,r-2) <- ±not s(P,b',r-1), k(b'',r-1)
    x(P,b,r-1) <- ±s(P,b',r), not k(b'',r)
    x(P,b,r-1) <- ±not s(P,b',r), k(b'',r)

Figure 5: Optimized logic program for DES with r rounds

However, this is still not sufficient because the translation as sketched is not faithful: we might have more than one "definition" of the same atom, i.e. one or more formulae of the form $A \Leftrightarrow \varphi_i$ for the same atom $A$.

If we left it that way, there would not be a one-to-one correspondence between stable models and propositional truth assignments. We would have more models than we should. So we need a further twist to cope with atoms



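$$
\begin{array}{l}
r(P,b,3) \Leftrightarrow \pm s(P,b',1) \oplus s(P,b'',3) \\
r(P,b,4) \Leftrightarrow \pm s(P,b',2) \oplus s(P,b'',4) \\
r(P,b,N) \Leftrightarrow r(P,b',N-2) \oplus s(P,b'',N), \quad 5 \le N \le r-4 \\
s(P,b,N) \Leftrightarrow \bigvee_{b'} m(P,b',N), \quad N = 1 \ldots r \\
\pm s(P,b,r-1) \Leftrightarrow r(P,b',r-5) \oplus s(P,b'',r-3) \\
\pm s(P,b,r) \Leftrightarrow r(P,b',r-4) \oplus s(P,b'',r-2) \\
m(P,b,1) \Leftrightarrow \bigwedge_{b'} \pm k(b',1) \\
m(P,b,N) \Leftrightarrow \bigwedge_{b'} x(P,b',N), \quad 2 \le N \le r-1 \\
m(P,b,r) \Leftrightarrow \bigwedge_{b'} \pm k(b',r) \\
x(P,b,2) \Leftrightarrow \pm s(P,b',1) \oplus k(b'',2) \\
x(P,b,3) \Leftrightarrow \pm s(P,b',2) \oplus k(b'',3) \\
x(P,b,N) \Leftrightarrow r(P,b',N-1) \oplus k(b'',N), \quad 4 \le N \le r-3 \\
x(P,b,r-2) \Leftrightarrow \pm s(P,b',r-1) \oplus k(b'',r-1) \\
x(P,b,r-1) \Leftrightarrow \pm s(P,b',r) \oplus k(b'',r)
\end{array}
$$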

Figure 4: Simplified DES formulae for r rounds with 
known plaintext and ciphertext 



that are defined (are on the left of the equivalence sign in Figure 4) two or more times. Suppose that we have a set of formulae of the form:

$a \Leftrightarrow \varphi_1, \ldots, a \Leftrightarrow \varphi_n$

and that $P_{a \Leftrightarrow \varphi_i}$ denotes the fragment of the logic program translating the boolean formula $a \Leftrightarrow \varphi_i$ according to the rules we have used in Table [j] and Figure ||. We translate this set of formulae as follows:

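$$
\begin{array}{ll}
\text{Boolean formula} & \text{Logic program} \\
\hline
a \Leftrightarrow \varphi_1 & P_{a \Leftrightarrow \varphi_1} \\
a \Leftrightarrow \varphi_2 & a \leftarrow a_2 \\
 & \leftarrow a,\ \mathit{not}\ a_2 \\
 & P_{a_2 \Leftrightarrow \varphi_2} \\
\vdots & \vdots \\
a \Leftrightarrow \varphi_n & a \leftarrow a_n \\
 & \leftarrow a,\ \mathit{not}\ a_n \\
 & P_{a_n \Leftrightarrow \varphi_n}
\end{array}
$$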

One may check that this is a faithful translation of the corresponding boolean formulae. The intuitive explanation is simply that the set of boolean formulae, read conjunctively, just says that all $\varphi_i$ must have the same value and this value must also be assigned to $a$. The first rule chooses a value, say $\varphi_1$, and assigns it to $a$ as in the standard encoding. The rest of the construction assigns the value of $\varphi_i$ to a new atom $a_i$ and then specifies that $a$ is true when $a_i$ is true and that $a_i$ cannot be false when $a$ is true.

Then we add the rules (^) saying that one can choose 
the truth values of the atoms corresponding to key bits, 
as we do for the direct encoding, and we are done. 

Experiments 

We study the computational properties of the two logic program encodings of DES by using them for key search in a known plaintext attack on a limited form of DES running a given number of rounds. For each number of rounds and pairs of plaintext-ciphertext blocks we perform 50 key searches using different randomly generated plaintexts and report the mean of the running time and of the size of the search tree. The tests were run under Linux 2.2.12 on 450 MHz Pentium III computers. The encodings and test cases are available at http://www.tcs.hut.fi/Software/smodels/tests/des.html.

Table 2 reports the data on Smodels's performance. The running times do not include preprocessing. For the direct encoding (Dir.) preprocessing consists of parsing and grounding of the rules, which is done by the standard Smodels parser lparse. This takes only a few seconds even for the largest examples. For the optimized encoding (Opt.) preprocessing is more involved, as explained in the previous section. It includes off-line minimization of the boolean functions used in DES, partially evaluating the DES description, simplifying it using the known plaintext-ciphertext pairs, transforming the resulting boolean formula into a set of ground logic program rules, and parsing the rules into the internal format of smodels. Hence, in both cases preprocessing produces a ground program parsed into the internal format of smodels. Table 2 gives the average running time and search space size for smodels (version 2.25 with the -backjump option) to find a stable model (a key) for such a ground program. Entries marked with '—' are cases where the set of 50 key searches could not be completed because the running time for each key search extended to several CPU hours.

Both encodings have a reasonable performance (although it should be noted that special purpose methods and hardware are able to perform known plaintext attacks successfully even on the full DES). The direct encoding does not seem to be able to propagate the information from the known plaintext-ciphertext pairs as efficiently as the preprocessing techniques in the optimized encoding. The search heuristics of smodels yields a rather stable performance on these DES examples except for the optimized encoding with three rounds and two blocks, where there are three orders of magnitude differences in the minimal and maximal observed running times and search space sizes.

Table 2: Smodels on DES

Table 3: rel_sat on DES

We compare the performance of Smodels to that of a SAT-checker which has been customized and tuned for the optimized SAT-encoding of DES described in (Massacci 1999; Massacci & Marraro 2000). This SAT-checker, based on rel_sat by Bayardo and Schrag (1997), clearly outperforms state-of-the-art SAT-checkers on DES encodings (Massacci & Marraro 2000).

Table 3 reports the data on rel_sat. The data does not include preprocessing, which in this case is similar to that of the optimized logic program encoding with the addition that it also includes the transformation of the optimized DES description (a boolean formula) to a compact conjunctive normal form (CNF) representation. Table 3 presents the average running time and search space size for rel_sat to find a propositional model (a key) for this CNF formula.

From this preliminary analysis one can say that the use of stable models as a computational paradigm in practice does not score at all badly for such an industrial application.



Conclusions 

We believe that DES provides an interesting benchmark problem for nonmonotonic reasoning systems because (i) it supplies a practically inexhaustible number of industrially relevant test cases, (ii) the encoding of DES using normal logic programs with the stable model semantics is easy to understand, and (iii) test cases are obtained for many nonmonotonic formalisms which contain this subclass of logic programs as a special case. We have developed a direct encoding and an optimized one extending the work of Massacci and Marraro. We have also tested the computational performance of the encodings using the Smodels system.

As DES is basically a boolean function, its encoding does not require any particular nonmonotonic constructs. In our encoding we have used default negation in a straightforward way (everything is false unless otherwise stated) to obtain a much leaner encoding than those obtained by encoding DES as a SAT formula (where both directions of the equivalence are needed). The resulting encodings are acyclic sets of rules which are compact but fairly simple to write and understand. It seems that they are easier to understand than corresponding encodings of DES using CNF clauses, which is the typical input format for current state-of-the-art SAT-checkers. Given that DES key search is a natural boolean satisfiability problem, it is somewhat surprising that our encodings are competitive when compared to state-of-the-art SAT-checkers and even to a tuned and customized SAT-checker working on an optimized SAT-encoding of DES. We think that the success can be accounted for by the compactness of the logic program encoding and the search methods and pruning techniques employed in the Smodels system.

In order to obtain a deeper understanding of the relative strengths of SAT-checkers and stable model implementations, an interesting comparison would be to map the stable model finding problem of DES key search directly to a satisfiability problem and use a state-of-the-art SAT-checker to solve the resulting problem. As our encodings are acyclic programs, the reduction could be done using, e.g., a completion approach (Fages 1994).